Those of us that are wary about malware and viruses in software always say, “Read the permissions!”, meaning that you should really understand what you are giving the app permission to do when you install it. Google makes you click through an app’s security permission list when installing for a reason – so it’s not their fault if you allow an app to steal your information!
However, even though I’m a programmer myself, I still find myself installing apps with security permissions that I don’t fully understand! It’s not easy to know what all of the various mysterious-sounding permission names mean, so I decided it might be a good idea to dive in and find out what a few of these permissions really allow the app publishers to do and share that info here.
The first one I want to research is one of the most common: Phone Calls – Read Phone State & Identity. Why would a ringtone app need to know my phone’s unique identifier? Why would a wallpaper app need to know whether I’m in a call or not? What do phone state and identity really mean anyway?
The first place I looked for information was the Android SDK documentation – which is the reference material developers use when building their apps. The list of permissions was interesting, but not particularly enlightening. It said that “READ_PHONE_STATE” allows your app to access the state of the phone. OK, so what does that mean? Digging deeper, I found the various values for “phone state” listed here, which include “Call State – Ringing” and “Data Connected”. So, basically the app can tell whether you’re in a call or not and what the state of your data connection is.
But the more concerning part of the permission is the “identity” part. Allowing an app to read a phone’s unique identifier allows its developer to track your usage of the app, and to know whether one person has downloaded several of their apps. Basically, it’s like letting Google track your search history: it may not know who you are exactly, but tracking your usage over time allows a company to build a profile of your individual activity.
It turns out that the main reasons developers give for needing this permission are:
Since most free app developers rely on advertising to fund their businesses, you can see why so many apps need this permission, but you also have to understand the trade-off: both the advertiser and the app publisher can track your usage of the app, and your usage across multiple apps if they collect all that data centrally (which advertisers definitely do).
This one is pretty tough to avoid, so I’d say just be especially wary of typically-suspicious apps (like ringtone apps) that use this permission and only install apps with this permission from developers you trust.
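As an added example (not from the original post or from Google's tooling), here is a Python check that reads an app's decoded `AndroidManifest.xml` and reports whether it requests READ_PHONE_STATE. It goes slightly beyond the post by also covering the documented case where Android grants this permission implicitly to apps whose minSdkVersion and targetSdkVersion are both 3 or lower. The sample manifests and the names `phone_state_access` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PERM = "android.permission.READ_PHONE_STATE"
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'

# Constructed sample manifests for illustration; these are not real apps.
SAMPLES = {
    "ringtones": HEAD % "com.example.ringtones" + """
        <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
        <uses-permission android:name="android.permission.INTERNET"/>
        <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    </manifest>""",
    "wallpaper": HEAD % "com.example.wallpaper" + """
        <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
        <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    </manifest>""",
    "legacy": HEAD % "com.example.legacy" + """
        <uses-sdk android:minSdkVersion="3"/>
        <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
}

def phone_state_access(manifest_xml):
    """Return 'declared', 'implicit' or 'none' for READ_PHONE_STATE."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    if PERM in requested:
        return "declared"
    # minSdkVersion defaults to 1, and targetSdkVersion defaults to minSdkVersion.
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", "1"))
    target_sdk = int(attrs.get(ANDROID + "targetSdkVersion", str(min_sdk)))
    # When both levels are 3 or lower, Android grants the permission
    # even though the manifest never lists it.
    if min_sdk <= 3 and target_sdk <= 3:
        return "implicit"
    return "none"

def audit(manifests):
    """Map each app name to its READ_PHONE_STATE status."""
    return {name: phone_state_access(xml) for name, xml in manifests.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```

An "implicit" result means the install screen can show the permission even though the developer never asked for it, which is worth knowing before treating an old app as suspicious.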
I rely a lot on the app’s marketplace rating to determine safety. Although it’s not a definite indicator (a developer could create a really great app and still use your information maliciously, or a developer with good intentions could just publish a really poor app), if I see an app with a really poor rating, especially if a developer has multiple apps with really poor ratings, I am suspicious that they may be spending too little time on improving their application because their reason for wanting you to download their app has nothing to do with its quality; they just want your information or ad impressions.
So, overall, keep your eyes open and uninstall apps that make you suspicious, but keep in mind that sometimes dangerous-sounding permissions are necessary for non-malicious purposes.
I do have a suggestion for Google, though – allow us to opt out of individual permissions! If we download an app and find that it can run just fine without reading our “identity”, then we should be able to disable that “feature” of each app on an individual basis.
On a related note, I just heard about an app today called “Privacy Blocker” that claims to do just that, and I hope to review it here in the future!
What other permissions do you want us to explore here on WomenWithDroids? Let us know in the comments!